rook: Object store user create/update reconcile failed due to invalid certificate

Is this a bug report or feature request?

  • Bug Report

Deviation from expected behavior:

Expected behavior: Using an invalid certificate for S3 RGW causes the object store user create/update reconcile to fail

2021-10-18 13:46:07.309996 E | ceph-object-store-user-controller: failed to reconcile failed to create/update object store user "s3-monitor-user": failed to get details from ceph object user "s3-monitor-user": Get "https://rook-ceph-rgw-backup.par-ns1-preprod.svc:19000/admin/user?display-name=User%20used%20to%20get%20ceph%20admin%20radosgw%20metrics&format=json&max-buckets=1000&uid=s3-monitor-user": x509: certificate is valid for *.XXXX.CCCC, XXXX.CCCC, not rook-ceph-rgw-backup.par-ns1-preprod.svc

Since #8712 the bucket health checks do not check the certificate, but it is still checked for the user reconcile. I’m wondering if there is a security concern that led to setting insecure to false in rgw.go: https://github.com/rook/rook/pull/8712/files#diff-00d4604932102df57560a4811e89064acd51ec541a5ef439b3f14cbf0a54d791R364 or if it is fine to just set it to true.

How to reproduce it (minimal and precise):

File(s) to submit:

  • Cluster CR (custom resource), typically called cluster.yaml, if necessary
  • Operator’s logs, if necessary
  • Crashing pod(s) logs, if necessary

To get logs, use kubectl -n <namespace> logs <pod name>. When pasting logs, always surround them with backticks or use the insert code button from the GitHub UI. Read the GitHub documentation if you need help.

Environment:

  • OS (e.g. from /etc/os-release):
  • Kernel (e.g. uname -a):
  • Cloud provider or hardware configuration:
  • Rook version (use rook version inside of a Rook Pod): 1.7.5
  • Storage backend version (e.g. for ceph do ceph -v):
  • Kubernetes version (use kubectl version):
  • Kubernetes cluster type (e.g. Tectonic, GKE, OpenShift):
  • Storage backend status (e.g. for Ceph use ceph health in the Rook Ceph toolbox):

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 20 (11 by maintainers)

Most upvoted comments

Hi, I’m having a similar issue: when trying to create a bucket, it fails with an error saying the certificate is not valid for rook-ceph-rgw-store-deck.rook-ceph.svc
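Added example, not part of the thread and not Rook's code: it reproduces the hostname check behind the `x509: certificate is valid for ...` error in the log above, and shows a client configuration that keeps chain and name verification on by checking a name the certificate covers, as an alternative to skipping verification. The SANs `*.example.test` and `example.test` are constructed stand-ins for the redacted names, and `newCert` and `verifiedConfig` are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newCert returns a self-signed certificate whose SANs are dnsNames (constructed test data).
func newCert(dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifiedConfig keeps chain and name verification enabled, but checks the
// certificate against certName instead of the in-cluster dial address.
func verifiedConfig(ca *x509.Certificate, certName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: certName, MinVersion: tls.VersionTLS12}
}

func main() {
	cert, err := newCert("*.example.test", "example.test")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"rook-ceph-rgw-backup.par-ns1-preprod.svc", "s3.example.test"} {
		fmt.Printf("%-42s err=%v\n", host, cert.VerifyHostname(host))
	}
	cfg := verifiedConfig(cert, "s3.example.test")
	fmt.Println("ServerName:", cfg.ServerName, "InsecureSkipVerify:", cfg.InsecureSkipVerify)
}
```

The other fix that keeps verification intact is to issue the RGW certificate with the service DNS name as an additional SAN, so the dial address itself matches.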